- Practical Industrial Internet of Things Security
- Sravani Bhattacharjee
- 2021-07-23 18:56:13
Identity management across the device lifecycle
In IIoT identity management, the two central challenges are:
- How to guarantee the digital uniqueness of each device
- How to maintain that uniqueness at the scale of millions (or forecast billions) of deployed devices
In IT domains, the most common way to obtain an identity is to assign a unique username to an account, usually associated with a human user. Even under BYOD, the identity of a mobile device such as a tablet or smartphone is tied to its owner's account, and the owner must be an authorized user of the corporate resources. The scale here is two or three mobile devices per user. In a large IIoT deployment involving millions of devices, provisioning an individual username per device would be anything but practical. Besides, IIoT devices typically don't have "users".
This calls for other forms of unique device identifier. Beyond uniqueness, the more intrinsically the identifier is tied to the device itself, rather than assigned and tracked externally, the better the scalability and reliability will be. Keep in mind that an identifier only names a device; it is not a credential, and uniqueness alone does not prevent a rogue device from presenting a copied identifier. Some unique identifier options are as follows.
UUID and ESNs: RFC 4122 defines a URN namespace for universally unique identifiers (UUIDs), also known as globally unique identifiers (GUIDs). UUIDs are 128 bits long, require no central authority to administer them, and are aligned with ISO/IEC 9834-8. UUIDs are unique and persistent, and the generation algorithm supports very high allocation rates, up to 10 million per second per machine if necessary (RFC 4122). Two practical caveats: the UUID versions are not interchangeable (a version 1 UUID embeds the generating node's MAC address and a timestamp, which leaks hardware details and makes values predictable, whereas a version 4 UUID is random and a version 5 UUID is deterministically derived from a namespace and a name), and RFC 4122 has since been superseded by RFC 9562, which keeps the format compatible.
Another option for contextually unique identifiers is the electronic serial number (ESN). A device manufacturer can also define its own device naming namespace, which can augment UUIDs and ESNs.
Unique device naming can also be achieved by combining multiple defining attributes of a device, such as manufacturer, serial number, type, deployment date, and location. However, this is less scalable from a provisioning standpoint, and every attribute that can change (location, deployment date) is a future identity-churn problem. Even at low scale, such composite names are painful to maintain over time.
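The following Python script is an added example (not code from the book) that contrasts the identifier options above: it shows the MAC address that a version 1 UUID exposes, generates a random version 4 UUID, derives a stable version 5 UUID for a serial number inside a manufacturer-defined namespace, builds a composite-attribute identifier, and validates incoming identifier strings. The manufacturer namespace name `devices.acme.example` and the sample serial numbers are constructed for the example.

```python
import uuid

# Constructed manufacturer namespace (an assumption for this example): a vendor
# derives its own namespace UUID once and publishes it alongside its devices.
ACME_NS = uuid.uuid5(uuid.NAMESPACE_DNS, "devices.acme.example")


def local_mac():
    """MAC address of this host as 12 hex digits (what uuid1 would embed)."""
    return "%012x" % uuid.getnode()


def mac_leaked_by_uuid1():
    """Generate a version 1 UUID and recover the node (MAC) field from it.

    This is the privacy/predictability problem with v1: anyone who sees the
    identifier learns the generating hardware address and the time of creation.
    """
    u = uuid.uuid1()
    return "%012x" % u.node


def new_random_id():
    """Version 4 UUID: 122 random bits, no hardware or time information."""
    return str(uuid.uuid4())


def device_id_from_serial(serial, namespace=ACME_NS):
    """Version 5 UUID derived from a manufacturer namespace and a serial number.

    Deterministic: the same serial always yields the same UUID, so the factory
    needs no central registry to avoid collisions, only a unique serial scheme.
    The serial is canonicalised so ' sn-0001 ' and 'SN-0001' map to one identity.
    """
    return uuid.uuid5(namespace, serial.strip().upper())


def composite_id(manufacturer, model, serial, deployed_on, site):
    """Composite-attribute naming, returned with its canonical form.

    Every attribute becomes part of the name, so changing the site or the
    deployment date changes the identity. That is the maintenance burden the
    text warns about; hashing the composite into a v5 UUID keeps it fixed-width
    but does not remove the churn.
    """
    canonical = "|".join(
        p.strip().upper() for p in (manufacturer, model, serial, deployed_on, site)
    )
    return uuid.uuid5(ACME_NS, canonical), canonical


def check_uuid(s):
    """Validate an identifier received from a device or a registry.

    Returns the UUID version (1-5) when the string parses and carries the
    RFC 4122 variant bits, or None for garbage, the nil UUID and the max UUID.
    """
    try:
        u = uuid.UUID(s)
    except (ValueError, AttributeError, TypeError):
        return None
    if u.variant != uuid.RFC_4122:
        return None
    return u.version


if __name__ == "__main__":
    print("host MAC        :", local_mac())
    print("MAC via uuid1   :", mac_leaked_by_uuid1())
    print("v4 random       :", new_random_id())
    print("v5 from serial  :", device_id_from_serial("SN-0001"))
    cid, canon = composite_id("ACME", "PLC-200", "SN-0001", "2021-07-23", "Plant7")
    print("composite       :", cid, "<=", canon)
    for s in ("00000000-0000-0000-0000-000000000000", "not-a-uuid", new_random_id()):
        print("check", s, "->", check_uuid(s))
```

Note that `check_uuid` rejects the all-zero and all-ones values even though they parse: both are syntactically valid UUIDs but carry non-RFC 4122 variant bits, and a registry that accepts them will eventually see two "different" devices sharing the nil identity.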
In the highly matrixed IIoT ecosystem, a number of identity vendors now offer identity-as-a-service, in which randomly generated device identifier keys are issued to subscribers on demand.
IIoT deployments are predominantly brownfield, which means older machines and devices that cannot be individually upgraded to connect to the cloud will continue to coexist with newly manufactured IoT devices. Identity gateways are used to manage identity on behalf of these older devices: the gateway holds the credential that the cloud authenticates, and the legacy device's identity is an attribute the gateway asserts, so the gateway's own identity and its mapping from local bus address to device must be protected as carefully as any device credential.
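The following Python script is an added example, not code from the book, of the identity gateway role described above. Legacy devices are addressed only by a local bus and unit number (as on a Modbus serial line); the gateway keeps a registry that binds each address to the device's manufacturer, model and serial, derives a stable identity for the device from a plant-wide namespace, refuses to register a second device presenting an already-registered serial or to silently rebind an address to a different device, and tags every upstream message with both its own identity and the asserted device identity. The namespace name `plant7.example`, the gateway identity and the device records are constructed for the example.

```python
import uuid
from dataclasses import dataclass

# Constructed plant-wide namespace (assumption): device identities are derived
# from it rather than from a per-gateway namespace, so a device keeps the same
# identity if it is later moved behind a different gateway.
PLANT_NS = uuid.uuid5(uuid.NAMESPACE_DNS, "plant7.example")

# Constructed identity for the gateway itself (in practice this is the name bound
# to the gateway's own credential, e.g. the subject of its certificate).
GATEWAY_ID = uuid.uuid5(PLANT_NS, "GATEWAY|GW-07-01")


@dataclass(frozen=True)
class LegacyDevice:
    manufacturer: str
    model: str
    serial: str

    def key(self):
        """Canonical attribute tuple used to derive and compare identities."""
        return "|".join(p.strip().upper() for p in (self.manufacturer, self.model, self.serial))


class IdentityGateway:
    def __init__(self, gateway_id):
        self.gateway_id = gateway_id
        self._by_addr = {}  # (bus, unit) -> LegacyDevice
        self._by_key = {}   # canonical key -> (bus, unit)

    @staticmethod
    def identity_for(dev):
        """Deterministic v5 UUID: same manufacturer/model/serial -> same identity."""
        return uuid.uuid5(PLANT_NS, dev.key())

    def register(self, bus, unit, dev):
        """Bind a local address to a legacy device and return its identity.

        Two failure modes are rejected rather than papered over: the same serial
        turning up at a second address (a cloned or mislabelled device), and an
        address that already belongs to a different device (a swapped unit).
        Re-registering the same device at the same address is idempotent.
        """
        key = dev.key()
        addr = (bus, unit)
        owner = self._by_key.get(key)
        if owner is not None and owner != addr:
            raise ValueError(f"serial {dev.serial} already registered at {owner}")
        prev = self._by_addr.get(addr)
        if prev is not None and prev.key() != key:
            raise ValueError(f"address {addr} already bound to serial {prev.serial}")
        self._by_addr[addr] = dev
        self._by_key[key] = addr
        return self.identity_for(dev)

    def resolve(self, bus, unit):
        """Identity of the device at a local address, or None if unregistered."""
        dev = self._by_addr.get((bus, unit))
        return None if dev is None else self.identity_for(dev)

    def tag(self, bus, unit, payload):
        """Wrap a telemetry payload for upstream delivery.

        The gateway identity is what the cloud authenticates; the device identity
        is asserted by the gateway on the device's behalf, and the tag says so.
        """
        device_id = self.resolve(bus, unit)
        if device_id is None:
            raise KeyError(f"no device registered at bus {bus} unit {unit}")
        return {
            "gateway_id": str(self.gateway_id),
            "device_id": str(device_id),
            "device_id_asserted_by": "gateway",
            "bus": bus,
            "unit": unit,
            "payload": dict(payload),
        }


def build_demo_gateway():
    """Gateway with two constructed legacy devices on serial bus 'COM1'."""
    gw = IdentityGateway(GATEWAY_ID)
    gw.register("COM1", 1, LegacyDevice("ACME", "PLC-200", "SN-0001"))
    gw.register("COM1", 2, LegacyDevice("ACME", "PLC-200", "SN-0002"))
    return gw


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.tag("COM1", 1, {"temp_c": 71.5}))
    try:
        gw.register("COM1", 3, LegacyDevice("acme", "plc-200", "sn-0001"))
    except ValueError as e:
        print("rejected:", e)
```

The registry is deliberately strict: a duplicate serial is a signal worth an alarm, not something to resolve by minting a fresh identity, because the whole point of the gateway is that the cloud trusts its address-to-device mapping.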
Now, let's evaluate some of the authentication and authorization techniques that have already been tried in enterprise IT networks, and how far each of them carries over to devices that have no human user behind them.